Shodan Mega Cheat Sheet
The most complete list of Shodan dorks, filters, and queries, for education and security research only.
Disclaimer
This is for educational, research, and awareness purposes.
Shodan searches are legal.
Accessing or exploiting exposed systems without permission = illegal hacking.
Basic Syntax
Code:
keyword
"exact phrase"
-keyword
keyword1 OR keyword2
before:2024-01-01
after:2024-01-01
has_screenshot:true
Common Filters
Code:
ip:1.2.3.4
net:1.2.3.0/24
port:3389
country:"US"
city:"London"
region:"California"
geo:"40.7128,-74.0060,25"
org:"Google"
isp:"Comcast"
os:"Windows 7"
product:"Apache"
version:"2.4.49"
http.title:"Login"
http.html:"Index of /"
http.component:"WordPress"
http.favicon.hash:-247388890
ssl:"Let's Encrypt"
ssl.cert.subject.cn:"example.com"
ssl.cert.expired:true
vuln:CVE-2021-44228
Common Ports
Code:
21 FTP
22 SSH
23 Telnet
25 SMTP
53 DNS
80 HTTP
443 HTTPS
445 SMB
1433 MSSQL
1521 Oracle
3306 MySQL
3389 RDP
5432 PostgreSQL
5900 VNC
6379 Redis
8006 Proxmox
8080 HTTP-alt
9200 Elasticsearch
27017 MongoDB
32400 Plex
Web Applications
Code:
http.title:"phpMyAdmin"
http.component:"WordPress"
http.component:"Drupal"
http.component:"Joomla"
http.title:"Kibana"
http.title:"Grafana"
http.title:"Zabbix"
http.title:"Solr Admin"
http.title:"Confluence"
http.title:"Jira"
http.title:"Redmine"
http.html:".git/config"
http.html:".env"
Databases
Code:
"MongoDB Server Information" port:27017 -authentication
"200 OK" "elastic indices" port:9200
"redis_version" port:6379
"Welcome" port:5984
"PostgreSQL" port:5432
"mysql_native_password" port:3306
"Starting listening for CQL clients" port:9042
"Set-Cookie: mongo-express=" "200 OK"
Remote Admin Panels
Code:
http.title:"WHM Login"
http.title:"Plesk"
http.title:"Login to Webmin"
http.title:"Nagios"
"Proxmox" port:8006
http.title:"Citrix Gateway"
http.title:"FortiGate"
http.title:"GlobalProtect Portal"
"OpenVPN" http.title:"Access Server"
http.title:"pfSense"
"HP-iLO"
"Server: iDRAC"
"Server: ATEN"
"APC Management Card"
"Server: Bomgar" "200 OK"
Cloud / DevOps
Code:
http.title:"Kubernetes Dashboard"
"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"
"Docker Containers:" port:2375
"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab
title:"Weave Scope" http.favicon.hash:567176827
"etcdserver" "raft" port:2379
"X-Consul-Index"
"Vault" port:8200
"RabbitMQ Management"
"ActiveMQ Console"
"Spark Master at"
"Resourcemanager" port:8088
IoT Devices / Cameras
Code:
title:"AXIS"
title:"Foscam"
title:"TP-Link"
title:"Hikvision"
title:"Vivotek"
title:"AVTech"
title:"Wansview"
title:"Panasonic Network Camera"
http.title:"DVR_H264 ActiveX"
"Server: yawcam" "Mime-Type: text/html"
("webcam 7" OR "webcamXP") http.component:"mootools" -401
"Server: IP Webcam Server" "200 OK"
http.title:"Synology DiskStation"
"Server: Logitech Media Server" "200 OK"
"X-Plex-Protocol" "200 OK" port:32400
"CherryPy/5.1.0" "/home"
http.title:"Kodi"
ICS / SCADA
Code:
"Server: Prismview Player"
"in-tank inventory" port:10001
P372 "ANPR enabled"
mikrotik streetlight
"voter system serial" country:US
"Cisco IOS" "ADVIPSERVICESK9_LI-M"
"[2J[H Encartele Confidential"
http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2
"Server: gSOAP/2.8" "Content-Length: 583"
"Cobham SATCOM" OR ("Sailor" "VSAT")
title:"Slocum Fleet Mission Control"
"Server: CarelDataServer" "200 Document follows"
http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1"
"[1m[35mWelcome on console"
"DICOM Server Response" port:104
"Server: EIG Embedded Web Server" "200 Document follows"
"Siemens, SIMATIC" port:161
"Server: Microsoft-WinCE" "Content-Length: 12581"
"HID VertX" port:4070
"log off" "select the appropriate"
Vulnerabilities
Code:
vuln:ms17-010
vuln:CVE-2014-6271
vuln:heartbleed
vuln:CVE-2019-0708
vuln:CVE-2020-1472
vuln:CVE-2021-34527
vuln:CVE-2021-44228
"Anonymous FTP login allowed"
"220" "230 Login successful." port:21
port:445 "NT_STATUS_ACCESS_DENIED"
"Authentication: disabled" port:445
"Authentication: disabled" NETLOGON SYSVOL -unix port:445
"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445
"Apache/2.2.15"
"Microsoft-IIS/6.0"
Printers & Copiers
Code:
"Serial Number:" "Built:" "Server: HP HTTP"
ssl:"Xerox Generic Root"
"SERVER: EPSON_Linux UPnP" "200 OK"
"Server: EPSON-HTTP" "200 OK"
"Server: KS_HTTP" "200 OK"
"Server: CANON HTTP Server"
Home Devices
Code:
"Server: AV_Receiver" "HTTP/1.1 406"
"\x08_airplay" port:5353
"Chromecast:" port:8008
"Model: PYNG-HUB"
"Android Debug Bridge" "Device" port:5555
Gaming Servers
Code:
"Minecraft Server" "protocol 340" port:25565
"Half-Life" "Server"
"Rust Server"
"ARK Survival Evolved"
"FXServer"
Fun / Weird
Code:
title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944
"ETH - Total speed"
"stratum" "mining"
http.title:"Index of /" http.html:".pem"
http.html:"* The wp-config.php creation script uses this file"
http.title:"phpinfo()" "PHP Version"
port:17 product:"Windows qotd"
"X-Recruiting:"
net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24
Read the full article: https://luckyy.uk/shodan-mega-cheat-sheet/